wmic

Query and manage Windows system information — hardware, software, processes, services, and more — from the command prompt using WMI classes and WMIC's SQL-like syntax.

wmic — Windows Management Instrumentation CLI

What it is

wmic (Windows Management Instrumentation Command-line) is a built-in interface to the WMI subsystem — Windows' core inventory and management layer. It exposes hundreds of system classes (CPU, disk, process, service, BIOS, network adapter, installed software) through a command-line query interface with SQL-like WHERE clauses and selectable output formats. Use wmic when you need scriptable, machine-readable system inventory without PowerShell. Note: Microsoft has deprecated wmic in Windows 10 21H1+ and removed it from Windows 11 24H2; prefer Get-WmiObject or Get-CimInstance in PowerShell for new scripts.

Availability

wmic ships as C:\Windows\System32\wbem\WMIC.exe on Windows XP through Windows 10 (deprecated but present). Not available by default on Windows 11 24H2+.

cmd
wmic /?

Output:

[global switches] <command>

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operates against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/OUTPUT              Specifies the mode for output redirection.
/FORMAT              Specifies the keyword/XSL file to format output.
/INTERACTIVE         Sets or resets the interactive mode.
...

Syntax

cmd
wmic [global-options] <alias> [WHERE clause] <verb> [properties]

Output: (tabular or formatted WMI query result)

Essential aliases and verbs

| Alias | What it queries |
| --- | --- |
| process | Running processes (same as tasklist) |
| service | Windows services |
| product | Installed software |
| cpu | CPU information |
| memorychip | Physical RAM modules |
| logicaldisk | Drive letters, type, free space |
| diskdrive | Physical drives |
| nic | Network interface cards |
| nicconfig | NIC configuration (IP, MAC, DHCP) |
| os | Operating system info |
| bios | BIOS information |
| baseboard | Motherboard info |
| startup | Programs that run at startup |
| useraccount | Local user accounts |
| group | Local groups |
| share | Network shares |
| volume | Disk volumes |
| qfe | Installed patches (Quick Fix Engineering) |

| Verb | Meaning |
| --- | --- |
| list | List instances |
| get <prop> | Get specific properties |
| where <condition> | Filter instances |
| call <method> | Invoke a WMI method |
| delete | Delete an instance |

Process information

wmic process exposes the same data as tasklist plus additional properties like command line, working directory, and creation date.

cmd
wmic process list brief

Output:

HandleCount  Name                    Priority  ProcessId  ThreadCount  WorkingSetSize
77           System Idle Process     0         0          8            8192
2382         System                  8         4          143          1482752
...
1547         notepad.exe             8         8420       4            24010752

cmd
wmic process where "name='notepad.exe'" get ProcessId,WorkingSetSize,CommandLine

Output:

CommandLine                     ProcessId  WorkingSetSize
"C:\Windows\notepad.exe"        8420       24010752

Installed software

wmic product queries the MSI installer database for installed applications — slow but comprehensive.

cmd
wmic product get name,version,vendor

Output:

Name                        Vendor              Version
Microsoft Visual C++ 2022   Microsoft           14.38.33135
7-Zip 23.01                 Igor Pavlov         23.01.00.0
Google Chrome               Google LLC          123.0.6312.122

cmd
rem Find a specific application
wmic product where "name like '%chrome%'" get name,version

Output:

Name            Version
Google Chrome   123.0.6312.122

Hardware information

wmic cpu, wmic memorychip, and wmic bios surface detailed hardware metadata useful in support scripts and asset inventory.

cmd
wmic cpu get name,NumberOfCores,NumberOfLogicalProcessors,MaxClockSpeed

Output:

MaxClockSpeed  Name                                      NumberOfCores  NumberOfLogicalProcessors
3600           Intel(R) Core(TM) i7-12700K CPU @ 3.60GHz  12             20

cmd
wmic memorychip get capacity,speed,manufacturer

Output:

Capacity      Manufacturer  Speed
17179869184   Samsung       3200
17179869184   Samsung       3200

cmd
wmic bios get smbiosbiosversion,manufacturer,releasedate

Output:

Manufacturer          ReleaseDate             SMBIOSBIOSVersion
American Megatrends   20231015000000.000000+000  1.A0

Disk and volume information

wmic logicaldisk reports free space, total size, and drive type for each logical drive.

cmd
wmic logicaldisk get deviceid,freespace,size,drivetype

Output:

DeviceID  DriveType  FreeSpace       Size
C:        3          52428800000     512110190592
D:        3          107374182400    2000398934016

DriveType: 2=Removable, 3=Local disk, 4=Network, 5=CD/DVD.

cmd
wmic logicaldisk where "drivetype=3" get deviceid,freespace,size

Output:

DeviceID  FreeSpace       Size
C:        52428800000     512110190592
D:        107374182400    2000398934016

Services

wmic service lists services with their start mode, state, and path.

cmd
wmic service where "state='running'" get name,startmode,pathname

Output:

Name           PathName                                          StartMode
Spooler        C:\Windows\System32\spoolsv.exe                  Auto
wuauserv       C:\Windows\system32\svchost.exe -k netsvcs       Manual
...

cmd
rem Start or stop a service via wmic
wmic service where "name='spooler'" call startservice

Output:

Executing (Win32_Service.Name="spooler")->StartService()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

Output formats

/format controls output layout. Useful values: TABLE (default), LIST, CSV, VALUE.

cmd
wmic os get caption,version,buildnumber /format:csv

Output:

Node,BuildNumber,Caption,Version
MYHOST,22631,Microsoft Windows 11 Pro,10.0.22631

cmd
wmic cpu get name /format:list

Output:

Name=Intel(R) Core(TM) i7-12700K CPU @ 3.60GHz

Installed patches (qfe)

wmic qfe (Quick Fix Engineering) lists installed Windows patches with KB numbers, install dates, and who installed them.

cmd
wmic qfe get hotfixid,installedon,description

Output:

Description      HotFixID    InstalledOn
Update           KB5034441   1/10/2026
Security Update  KB5035942   3/12/2026

Common pitfalls

  1. wmic product is very slow — it enumerates the MSI installer database; expect 10–30 seconds on machines with many packages; prefer winget list or registry queries for faster results.
  2. Deprecated on Windows 11 24H2+ — scripts relying on wmic will break; migrate to Get-CimInstance (PowerShell) as a direct replacement.
  3. WHERE clause uses single quotes for string values: where "name='notepad.exe'" (single inside double); mixing quote styles breaks the filter.
  4. Output encoding is UTF-16 LE — piping wmic output to findstr or for /f can garble Unicode characters; add | more or redirect to a file first.
  5. wmic process call terminate — terminates a process without the /F of taskkill; the process may not honour the termination request.
  6. Node queries require DCOM firewall rule on target — remote /node:hostname queries need the Remote Administration firewall exception enabled on the target machine.

Real-world recipes

Collect system inventory to a CSV

cmd
@echo off
echo Collecting inventory for %COMPUTERNAME%...
wmic os get caption,version,buildnumber /format:csv > inventory.csv
wmic cpu get name,numberofcores /format:csv >> inventory.csv
wmic logicaldisk where "drivetype=3" get deviceid,freespace,size /format:csv >> inventory.csv
echo Done. See inventory.csv.

Output:

Collecting inventory for MYHOST...
Done. See inventory.csv.

Find processes using more than 200 MB

cmd
wmic process where "workingsetsize > 209715200" get name,processid,workingsetsize

Output:

Name           ProcessId  WorkingSetSize
chrome.exe     6124       524288000
outlook.exe    7890       314572800

List all startup programs

cmd
wmic startup get caption,command,location

Output:

Caption        Command                                     Location
OneDrive       "C:\Users\alicedev\OneDrive\OneDrive.exe"  HKU\S-1-5-21-...\...\Run
Slack          C:\Users\alicedev\AppData\...\slack.exe    HKLM\SOFTWARE\Microsoft\Windows\...\Run

Deprecation in 2026 and the migration story

wmic is on a hard deadline. Microsoft announced deprecation in Windows 10 21H1 (May 2021), removed the binary from default Windows 11 installations starting with 24H2 (October 2024) where it remained available as a Feature on Demand (FoD), and has confirmed full removal in the next Windows feature update of 2026 — at which point it will not be available as a FoD either. Windows Server 2025 follows the same trajectory.

What this means in practice:

  • Existing scripts on 22H2/older hosts still work: wmic is functional, just not recommended.
  • 24H2 / 25H2 hosts can reinstall WMIC as an optional capability today, but planning to lean on this is short-lived — the FoD itself is going away in 2026.
  • New scripts should target Get-CimInstance (PowerShell 5.1+) or, for C#/.NET, the System.Management namespace. Get-WmiObject (legacy PowerShell only — also deprecated, see below) is removed in PowerShell 6+. CIM is the long-term API.
  • Bare cmd shells lose wmic entirely on 24H2; cmd scripts that must keep working should either embed powershell -Command "..." calls or be rewritten in PowerShell.
  • Server Core and current Windows releases install without WMIC by default; do not assume it exists.

To check whether wmic is present on the current host:

cmd
where wmic

Output on a 22H2 host:

C:\Windows\System32\wbem\WMIC.exe

Output on a 24H2 host without the optional feature:

INFO: Could not find files for the given pattern(s).

To install the optional feature from a script on 24H2/25H2 (admin required, soon to be ineffective):

powershell
Add-WindowsCapability -Online -Name "WMIC~~~~"

Output:

Path          :
Online        : True
RestartNeeded : False

Microsoft has confirmed the FoD itself will be removed in the next 2026 feature update. After that, no in-box mechanism will restore wmic — the only path is Get-CimInstance / System.Management. Treat any wmic-using script as actively decaying technical debt and migrate before the next Windows upgrade hits your fleet.

Get-CimInstance — the modern replacement

Get-CimInstance (alias gcim) is the PowerShell cmdlet that talks to the same WMI subsystem wmic does, but through the cross-platform WS-MAN/WinRM stack. It returns rich CIM objects, supports asynchronous and remote operations via CimSession, and is present in every supported PowerShell version (5.1, 7.x, future).

Direct command translation

| wmic | Get-CimInstance |
| --- | --- |
| wmic process list brief | Get-CimInstance Win32_Process |
| wmic process where "name='notepad.exe'" | Get-CimInstance Win32_Process -Filter "Name='notepad.exe'" |
| wmic process where "name='notepad.exe'" get ProcessId,CommandLine | Get-CimInstance Win32_Process -Filter "Name='notepad.exe'" |
| wmic service where "state='running'" | Get-CimInstance Win32_Service -Filter "State='Running'" |
| wmic cpu get name | Get-CimInstance Win32_Processor |
| wmic logicaldisk get deviceid,size,freespace | Get-CimInstance Win32_LogicalDisk |
| wmic os get caption,version | Get-CimInstance Win32_OperatingSystem |
| wmic bios get serialnumber | Get-CimInstance Win32_BIOS |
| wmic qfe list | Get-CimInstance Win32_QuickFixEngineering |
| wmic /node:host process list | Get-CimInstance Win32_Process -ComputerName host |

Filter language differences

The wmic WHERE clause and the CIM -Filter both speak WQL (WMI Query Language), so most filter syntax transfers directly:

powershell
Get-CimInstance Win32_Process -Filter "Name LIKE '%chrome%' AND WorkingSetSize > 100000000"

Output:

ProcessId Name        HandleCount  WorkingSetSize
--------- ----        -----------  --------------
     6124 chrome.exe         3210     537400320
     6130 chrome.exe         1248     224870400

Differences to watch for:

  • String quoting: wmic uses single quotes inside double quotes (where "name='x'"); Get-CimInstance is more forgiving but the recommended form is single quotes around values (-Filter "Name='x'").
  • LIKE wildcards use % in both (SQL-style), not the */? of glob patterns.
  • -Query accepts a full WQL string for queries CIM can't express via simple filters: Get-CimInstance -Query "ASSOCIATORS OF {Win32_Process.Handle=8420} WHERE ResultClass=Win32_Thread".

Method invocation

wmic process call terminate and wmic service call startservice become Invoke-CimMethod:

powershell
Get-CimInstance Win32_Process -Filter "Name='notepad.exe'" |
    Invoke-CimMethod -MethodName Terminate

Output:

ReturnValue PSComputerName
----------- --------------
          0

powershell
Invoke-CimMethod -ClassName Win32_Service -MethodName Create -Arguments @{
    Name        = 'MySvc'
    DisplayName = 'My Background Service'
    PathName    = 'C:\Tools\myservice.exe'
    ServiceType = [byte]16
    StartMode   = 'Automatic'
    ErrorControl = [byte]1
}

Output:

ReturnValue PSComputerName
----------- --------------
          0

Remote queries via CimSession

The reason to prefer CIM in scripts that touch more than one machine: a CimSession reuses the WinRM connection, which is fast and credential-aware. The equivalent wmic /node:host pattern opens a fresh DCOM connection per call.

powershell
$s = New-CimSession -ComputerName host1,host2,host3
Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $s |
    Select-Object PSComputerName, Caption, Version, LastBootUpTime
Remove-CimSession $s

Output:

PSComputerName Caption                          Version       LastBootUpTime
-------------- -------                          -------       --------------
host1          Microsoft Windows 11 Pro         10.0.22631    5/22/2026 8:14:00 AM
host2          Microsoft Windows Server 2022    10.0.20348    5/21/2026 2:00:00 AM
host3          Microsoft Windows 10 Enterprise  10.0.19045    5/23/2026 6:30:00 AM

CimSession defaults to WS-MAN (WinRM, port 5985/5986); for hosts that only have DCOM enabled use -SessionOption (New-CimSessionOption -Protocol DCOM).

Get-WmiObject deprecation

Get-WmiObject is the older PowerShell cmdlet that predates CIM. It uses pure DCOM and exposes a [System.Management.ManagementObject] rather than a CIM instance. Microsoft has marked it deprecated:

  • PowerShell 5.1 — still present, still works, no warning.
  • PowerShell 6+ / 7: removed entirely. Get-WmiObject does not exist. Scripts must use Get-CimInstance instead.
  • Cross-version code — only Get-CimInstance runs everywhere; prefer it unconditionally in new code.

| Get-WmiObject | Get-CimInstance |
| --- | --- |
| Get-WmiObject Win32_Process | Get-CimInstance Win32_Process |
| Get-WmiObject -Query "..." | Get-CimInstance -Query "..." |
| Get-WmiObject … -ComputerName host | Get-CimInstance … -ComputerName host (or via CimSession) |
| $p.GetOwner() | Invoke-CimMethod $p -MethodName GetOwner |
| Invoke-WmiMethod -Class Win32_Service -Name Create -ArgumentList … | Invoke-CimMethod -ClassName Win32_Service -MethodName Create -Arguments @{…} |
| Set-WmiInstance | Set-CimInstance |
| Remove-WmiObject | Remove-CimInstance |

The mechanical migration is usually safe: replace Get-WmiObject with Get-CimInstance, Invoke-WmiMethod -ArgumentList @(...) with Invoke-CimMethod -Arguments @{...} (note the positional → hashtable change), and adjust property type expectations (CIM dates are [DateTime] rather than the WMI string format 20240315000000.000000+000).

CIM namespaces and class discovery

wmic aliases hide the underlying namespace and class. CIM exposes them directly, which is essential when working with non-default namespaces — Hyper-V, Storage Spaces, MDT, Configuration Manager, antivirus vendors, etc.

powershell
# List all CIM namespaces
Get-CimInstance -Namespace root -ClassName __Namespace | Select Name

Output:

Name
----
subscription
DEFAULT
CIMV2
Microsoft
WMI
SecurityCenter2
Hardware
Interop
StandardCimv2
ServerManager
ManagementProvider
Hyper-V

powershell
# List all classes in a namespace whose name matches a pattern
Get-CimClass -Namespace root/Microsoft/Windows/Storage |
    Where-Object CimClassName -like 'MSFT_*Disk' |
    Select CimClassName

Output:

CimClassName
------------
MSFT_Disk
MSFT_DiskImage
MSFT_PhysicalDisk
MSFT_VirtualDisk

Common namespaces:

| Namespace | Contents |
| --- | --- |
| root\cimv2 | Default — Win32_* core classes |
| root\Microsoft\Windows\Storage | MSFT_*Disk, partitions, volumes (Storage Spaces) |
| root\Microsoft\Windows\NetworkAdapter | Modern net adapter classes |
| root\Microsoft\Windows\TaskScheduler | MSFT_ScheduledTask |
| root\Microsoft\Windows\HyperV | Msvm_* Hyper-V classes |
| root\SecurityCenter2 | AV registration, firewall product |
| root\WMI | ETW providers, low-level hardware events |
| root\StandardCimv2 | Newer DMTF-aligned classes |

Working in non-default namespaces is the main reason serious admins moved off wmic: wmic aliases only cover root\cimv2.

Comparison: wmic vs Get-CimInstance vs Get-WmiObject vs PowerShell native

For most everyday queries Windows now ships three or four cmdlets that overlap with wmic on different axes. Pick by what you actually need to do.

| Need | wmic | Get-WmiObject | Get-CimInstance | Native PS cmdlet |
| --- | --- | --- | --- | --- |
| List processes | yes | yes | yes | Get-Process |
| Process command line | yes | yes | yes | Get-CimInstance Win32_Process only |
| List services | yes | yes | yes | Get-Service |
| Service start mode/account | yes | yes | yes | Get-Service lacks account; CIM has it |
| Installed software | yes (product) | yes | yes | Get-Package (PackageManagement); winget list |
| Disk free space | yes | yes | yes | Get-PSDrive; Get-Volume |
| Installed patches | yes (qfe) | yes | yes | Get-HotFix |
| Hardware (CPU/RAM) | yes | yes | yes | no single replacement |
| Remote query | yes | yes | yes | varies |
| Persistent remote session | no | no | yes (CimSession) | varies |
| Works on 24H2+ | no | no on PS7 | yes | yes |
| Works in plain cmd | yes | no | no | no |

Practical recommendation for new scripts: Get-CimInstance for everything that touches WMI; Get-Process/Get-Service for everyday non-WMI work; only invoke wmic from cmd scripts that must avoid PowerShell and target Windows older than 24H2.

CIM-native equivalents of every wmic alias

Quick lookup for the common aliases. All examples below assume PowerShell 5.1+.

| wmic alias | CIM class | Sample |
| --- | --- | --- |
| process | Win32_Process | Get-CimInstance Win32_Process |
| service | Win32_Service | Get-CimInstance Win32_Service |
| product | Win32_Product | Get-CimInstance Win32_Product (slow — prefer Get-Package) |
| cpu | Win32_Processor | Get-CimInstance Win32_Processor |
| memorychip | Win32_PhysicalMemory | Get-CimInstance Win32_PhysicalMemory |
| logicaldisk | Win32_LogicalDisk | Get-CimInstance Win32_LogicalDisk |
| diskdrive | Win32_DiskDrive | Get-CimInstance Win32_DiskDrive |
| nic | Win32_NetworkAdapter | Get-CimInstance Win32_NetworkAdapter |
| nicconfig | Win32_NetworkAdapterConfiguration | Get-CimInstance Win32_NetworkAdapterConfiguration |
| os | Win32_OperatingSystem | Get-CimInstance Win32_OperatingSystem |
| bios | Win32_BIOS | Get-CimInstance Win32_BIOS |
| baseboard | Win32_BaseBoard | Get-CimInstance Win32_BaseBoard |
| startup | Win32_StartupCommand | Get-CimInstance Win32_StartupCommand |
| useraccount | Win32_UserAccount | Get-CimInstance Win32_UserAccount |
| group | Win32_Group | Get-CimInstance Win32_Group |
| share | Win32_Share | Get-CimInstance Win32_Share |
| volume | Win32_Volume | Get-CimInstance Win32_Volume |
| qfe | Win32_QuickFixEngineering | Get-CimInstance Win32_QuickFixEngineering |
| computersystem | Win32_ComputerSystem | Get-CimInstance Win32_ComputerSystem |
| desktop | Win32_Desktop | Get-CimInstance Win32_Desktop |
| printer | Win32_Printer | Get-CimInstance Win32_Printer |
| environment | Win32_Environment | Get-CimInstance Win32_Environment |
| pagefile | Win32_PageFileSetting | Get-CimInstance Win32_PageFileSetting |
| process call terminate | Win32_Process.Terminate | Invoke-CimMethod -CimInstance $p -MethodName Terminate |
| service call startservice | Win32_Service.StartService | Invoke-CimMethod -CimInstance $s -MethodName StartService |
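
The alias table above also works as a lookup for rewriting old scripts. The sketch below is an added example, not code from the original page: a hypothetical helper, Convert-WmicToCim, turns the simple wmic command shapes shown on this page into Get-CimInstance pipelines and flags anything it cannot translate mechanically (method calls, unknown aliases) for manual review.

```powershell
# Added example. Convert-WmicToCim and $WmicAliasMap are hypothetical names.
# Only the '<alias> [where "..."] get|list ...' shapes are handled.

$WmicAliasMap = @{
    process     = 'Win32_Process';         service     = 'Win32_Service'
    product     = 'Win32_Product';         cpu         = 'Win32_Processor'
    memorychip  = 'Win32_PhysicalMemory';  logicaldisk = 'Win32_LogicalDisk'
    diskdrive   = 'Win32_DiskDrive';       nic         = 'Win32_NetworkAdapter'
    nicconfig   = 'Win32_NetworkAdapterConfiguration'
    os          = 'Win32_OperatingSystem'; bios        = 'Win32_BIOS'
    baseboard   = 'Win32_BaseBoard';       startup     = 'Win32_StartupCommand'
    useraccount = 'Win32_UserAccount';     group       = 'Win32_Group'
    share       = 'Win32_Share';           volume      = 'Win32_Volume'
    qfe         = 'Win32_QuickFixEngineering'
    computersystem = 'Win32_ComputerSystem'; desktop   = 'Win32_Desktop'
    printer     = 'Win32_Printer';         environment = 'Win32_Environment'
    pagefile    = 'Win32_PageFileSetting'
}

function Convert-WmicToCim {
    param([Parameter(Mandatory)][string] $Command)

    # Drop a trailing cmd redirection (> file, >> file) that sits outside quotes,
    # so a '>' inside a WHERE clause is left alone.
    $cmd = $Command -replace '\s*>>?\s*[^">]+$', ''

    $rx = '(?i)^\s*wmic(?:\.exe)?' +
          '(?:\s+/node:(?<node>[^\s/]+))?' +
          '\s+(?<alias>[a-z]+)' +
          '(?:\s+where\s+"(?<where>[^"]*)")?' +
          '(?:\s+(?<verb>get|list|call)(?:\s+(?<rest>[^/]*?))?)?' +
          '(?:\s*/format:\S+|\s*/value)?\s*$'
    $m = [regex]::Match($cmd, $rx)
    $result = [PSCustomObject]@{ Original = $Command; Suggested = $null; Note = $null }

    if (-not $m.Success) {
        $result.Note = 'not a recognised wmic shape; review by hand'
        return $result
    }
    $alias = $m.Groups['alias'].Value.ToLower()
    if (-not $WmicAliasMap.ContainsKey($alias)) {
        $result.Note = "alias '$alias' is not in the map"
        return $result
    }
    if ($m.Groups['verb'].Value -eq 'call') {
        $result.Note = 'method call: rewrite with Invoke-CimMethod by hand'
        return $result
    }

    # The WHERE text is WQL, so it carries over to -Filter unchanged.
    $out = "Get-CimInstance $($WmicAliasMap[$alias])"
    if ($m.Groups['where'].Success) { $out += " -Filter `"$($m.Groups['where'].Value)`"" }
    if ($m.Groups['node'].Success)  { $out += " -ComputerName $($m.Groups['node'].Value)" }

    # 'get a,b,c' becomes a property selection; 'list brief' has no direct equivalent.
    $props = $m.Groups['rest'].Value.Trim()
    if ($m.Groups['verb'].Value -eq 'get' -and $props) {
        $out += ' | Select-Object ' + (($props -split '\s*,\s*') -join ', ')
    }
    $result.Suggested = $out
    $result
}

# Constructed input: command lines from this page, as they might sit in a .cmd file.
$sampleScript = @(
    'wmic process where "name=''notepad.exe''" get ProcessId,WorkingSetSize,CommandLine'
    'wmic process where "workingsetsize > 209715200" get name,processid,workingsetsize'
    'wmic os get caption,version,buildnumber /format:csv > inventory.csv'
    'wmic /node:host process list'
    'wmic service where "name=''spooler''" call startservice'
)
$sampleScript | ForEach-Object { Convert-WmicToCim -Command $_ } | Format-List
```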

Verbosity, formats, and output parsing

wmic's output formats are a perennial parsing trap. The defaults are wide tables aligned with multiple spaces that vary by host locale; /format:csv injects a Node column that's missing from /format:list; and the encoding is UTF-16 LE with a BOM, which breaks findstr and for /f in cmd.

The robust patterns:

cmd
rem 1. Always specify /format explicitly
wmic os get caption,version /format:csv > os.csv

rem 2. Convert the UTF-16 LE output to UTF-8 before parsing
powershell -NoProfile -Command "Get-Content os.csv | Out-File os.utf8.csv -Encoding utf8"

rem 3. Use list format for single-record output
wmic cpu get name /format:list

Output:

Name=Intel(R) Core(TM) i7-12700K CPU @ 3.60GHz

cmd
rem 4. /value is the most parseable form for scripting in cmd
wmic os get caption,version /value

Output:

Caption=Microsoft Windows 11 Pro
Version=10.0.22631

The KEY=VALUE form is the simplest to consume in a for /f loop.
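
The parsing traps described above (UTF-16 LE with a BOM, KEY=VALUE lines, values that themselves contain =) can be handled in one place. The following is an added example, not part of the original page; ConvertFrom-WmicValue is a hypothetical helper name and the input bytes are constructed.

```powershell
# Added example. Turns saved 'wmic ... /value' output into objects,
# one object per WMI instance.

function ConvertFrom-WmicValue {
    param([Parameter(Mandatory)][byte[]] $Bytes)

    # UTF-16 LE with a BOM (FF FE) is the case the page describes; anything
    # else is assumed to have been converted to UTF-8 already.
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) {
        $text = [System.Text.Encoding]::Unicode.GetString($Bytes, 2, $Bytes.Length - 2)
    } else {
        $text = [System.Text.Encoding]::UTF8.GetString($Bytes)
    }
    # A UTF-8 BOM decodes to U+FEFF, which Trim() does not treat as whitespace.
    $text = $text.TrimStart([char]0xFEFF)

    $records = @()
    $current = [ordered]@{}
    foreach ($raw in ($text -split "`n")) {
        $line = $raw.Trim()                      # drops stray CRs and padding
        if ($line -eq '') {
            # A blank line closes the current instance, if one is open.
            if ($current.Count -gt 0) {
                $records += [PSCustomObject]$current
                $current = [ordered]@{}
            }
            continue
        }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1) { continue }              # not KEY=VALUE: skip it
        $key = $line.Substring(0, $eq)
        if ($current.Contains($key)) {
            # Same key again without a blank line: start the next instance.
            $records += [PSCustomObject]$current
            $current = [ordered]@{}
        }
        # Split on the FIRST '=' only; command lines often contain more.
        $current[$key] = $line.Substring($eq + 1)
    }
    if ($current.Count -gt 0) { $records += [PSCustomObject]$current }
    $records
}

# Constructed sample: two process instances in /value layout, encoded as
# UTF-16 LE with a BOM and doubled carriage returns to exercise the trimming.
$lines = '', 'CommandLine="C:\Windows\notepad.exe"', 'Name=notepad.exe', '',
         'CommandLine=C:\Tools\app.exe --mode=fast', 'Name=app.exe', ''
$enc   = [System.Text.Encoding]::Unicode
$bytes = [byte[]]($enc.GetPreamble() + $enc.GetBytes($lines -join "`r`r`n"))

ConvertFrom-WmicValue -Bytes $bytes | Format-List

# For a saved file (path is a placeholder):
# ConvertFrom-WmicValue -Bytes ([System.IO.File]::ReadAllBytes('C:\Temp\os.txt'))
```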

Performance characteristics

WMI queries are not free. Some classes (notably Win32_Product) trigger a full MSI-installer consistency check that can take 30–60 s and write to the event log. Others are cheap and instantaneous. Knowing which is which prevents bizarre slowdowns in scripts.

| Class | Typical cold-cache time |
| --- | --- |
| Win32_Process | 80–200 ms |
| Win32_Service | 100–250 ms |
| Win32_OperatingSystem | 30–60 ms |
| Win32_LogicalDisk | 50–120 ms |
| Win32_Processor | 30–80 ms |
| Win32_PhysicalMemory | 80–200 ms |
| Win32_NetworkAdapter | 200–400 ms |
| Win32_QuickFixEngineering | 1–3 s |
| Win32_Product | 20–60 s |

The Win32_Product cost in particular is reason enough to prefer Get-Package -ProviderName MSI or winget list for installed-software inventories.

For per-class CIM caching across multiple queries, open a CimSession against . (local host) and reuse it:

powershell
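$s = New-CimSession
1..5 | ForEach-Object {
    # Capture the iteration number: inside Select-Object, $_ is the TimeSpan
    # returned by Measure-Command, not the loop value.
    $i = $_
    Measure-Command { Get-CimInstance Win32_Process -CimSession $s } |
        Select-Object @{N='Iter';E={$i}}, TotalMilliseconds
}
Remove-CimSession $s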

Output:

Iter TotalMilliseconds
---- -----------------
   1            187.42
   2             46.13
   3             41.20
   4             42.81
   5             40.95

The first call is full-cost; subsequent calls reuse cached schema and connection.

Security and audit considerations

WMI is a powerful management surface and is heavily abused by red-team tooling — "WMI persistence" (an __EventConsumer bound to a __FilterToConsumerBinding) is a classic fileless backdoor technique. A few hardening notes:

  • Audit WMI namespace ACLs. Get-CimInstance __SystemSecurity -Namespace root/cimv2 | Invoke-CimMethod -MethodName GetSD returns the security descriptor; tighten if the default allows non-admin write.
  • Watch for __EventFilter, __EventConsumer, and __FilterToConsumerBinding instances. Legitimate uses are rare; enumerate them periodically.
  • WMI event tracing. Enable Microsoft-Windows-WMI-Activity/Operational to log query history during incident response.
  • wmic itself is a LOLBin. Many EDR products flag wmic process call create as a launcher; in 2025+ EDRs are also flagging Invoke-CimMethod -MethodName Create similarly. The deprecation of wmic will reduce the attack surface gradually.

powershell
# Inventory of WMI persistence artefacts
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter |
    Select-Object Name, Query
# CIM instances carry no __CLASS property (that belongs to Get-WmiObject output);
# read the concrete consumer class from CimSystemProperties instead.
Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer |
    Select-Object Name, @{N='Class';E={$_.CimSystemProperties.ClassName}}, CommandLineTemplate
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer

Output:

Name      Query
----      -----
BVTFilter SELECT * FROM __InstanceModificationEvent WITHIN 60

If you see entries in __EventConsumer that weren't installed by Microsoft software, investigate.
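
Listing the three classes separately leaves the analyst to match names by eye. The following added example (not from the original page) joins them into one row per binding and marks consumers that execute commands or scripts. The function names and sample objects are constructed, and the live collector assumes an elevated PowerShell 5.1+ session.

```powershell
# Added example. Get-WmiSubscriptionPart and Join-WmiSubscription are
# hypothetical names; the sample data further down is constructed.

function Get-WmiSubscriptionPart {
    # Live collection from root/subscription, flattened to plain properties.
    $ns = 'root/subscription'
    @{
        Filter   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                       Select-Object Name, Query)
        Consumer = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                       Select-Object Name, CommandLineTemplate, ScriptText,
                           @{N='Class'; E={ $_.CimSystemProperties.ClassName }})
        Binding  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                       Select-Object @{N='FilterName';    E={ $_.Filter.Name }},
                                     @{N='ConsumerName';  E={ $_.Consumer.Name }},
                                     @{N='ConsumerClass'; E={ $_.Consumer.CimSystemProperties.ClassName }})
    }
}

function Join-WmiSubscription {
    param([object[]] $Filter = @(), [object[]] $Consumer = @(), [object[]] $Binding = @())

    # Consumer classes that start a program or run script text when the filter fires.
    $executing = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

    foreach ($b in $Binding) {
        $f = $Filter   | Where-Object { $_.Name -eq $b.FilterName } | Select-Object -First 1
        $c = $Consumer | Where-Object { $_.Name -eq $b.ConsumerName -and
                                        $_.Class -eq $b.ConsumerClass } | Select-Object -First 1
        [PSCustomObject]@{
            Status        = if ($f -and $c) { 'Bound' } else { 'DanglingBinding' }
            Filter        = $b.FilterName
            Query         = $f.Query
            Consumer      = $b.ConsumerName
            ConsumerClass = $b.ConsumerClass
            Action        = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
            Executes      = $executing -contains $b.ConsumerClass
        }
    }

    # Consumers that no binding references: inert, but they still need an owner.
    foreach ($c in $Consumer) {
        $used = $Binding | Where-Object { $_.ConsumerName -eq $c.Name -and
                                          $_.ConsumerClass -eq $c.Class }
        if (-not $used) {
            [PSCustomObject]@{
                Status        = 'UnboundConsumer'
                Filter        = $null
                Query         = $null
                Consumer      = $c.Name
                ConsumerClass = $c.Class
                Action        = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
                Executes      = $executing -contains $c.Class
            }
        }
    }
}

# Constructed sample: a logging-only binding, a command-line binding, and a leftover consumer.
$sample = @{
    Filter = @(
        [PSCustomObject]@{ Name = 'BVTFilter';     Query = 'SELECT * FROM __InstanceModificationEvent WITHIN 60' }
        [PSCustomObject]@{ Name = 'ExampleFilter'; Query = "SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_Process'" }
    )
    Consumer = @(
        [PSCustomObject]@{ Name = 'BVTConsumer';     Class = 'NTEventLogEventConsumer';   CommandLineTemplate = $null; ScriptText = $null }
        [PSCustomObject]@{ Name = 'ExampleConsumer'; Class = 'CommandLineEventConsumer';  CommandLineTemplate = 'C:\Example\placeholder.exe'; ScriptText = $null }
        [PSCustomObject]@{ Name = 'OldConsumer';     Class = 'ActiveScriptEventConsumer'; CommandLineTemplate = $null; ScriptText = '<constructed placeholder>' }
    )
    Binding = @(
        [PSCustomObject]@{ FilterName = 'BVTFilter';     ConsumerName = 'BVTConsumer';     ConsumerClass = 'NTEventLogEventConsumer' }
        [PSCustomObject]@{ FilterName = 'ExampleFilter'; ConsumerName = 'ExampleConsumer'; ConsumerClass = 'CommandLineEventConsumer' }
    )
}

# Keep what executes or is inconsistent; the logging-only binding drops out.
Join-WmiSubscription @sample |
    Where-Object { $_.Executes -or $_.Status -ne 'Bound' } |
    Format-List

# On a live host: $live = Get-WmiSubscriptionPart; Join-WmiSubscription @live
```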

Common pitfalls — extended

In addition to the basics above:

  1. /node: requires the target's Remote Administration firewall rule. Without it, you get a generic "RPC server is unavailable" error. The PowerShell equivalent (-ComputerName via WinRM) needs port 5985/5986 open, which is a different firewall rule entirely.
  2. wmic process call create ignores stdout/stderr. The launched process's output is discarded; capture by writing to a temp file in the command itself.
  3. wmic runs interactively if invoked without subcommand. Type wmic alone in cmd and you get a wmic:root\cli> prompt — Ctrl+C exits.
  4. PowerShell aliases shadow CIM verbs. Be careful if you create aliases like ps: ps already aliases Get-Process, not Get-CimInstance Win32_Process.
  5. WMI repository corruption breaks every consumer. Symptoms: wmic os get caption returns no output, Get-CimInstance throws Provider load failure. Fix with winmgmt /verifyrepository and, in extreme cases, winmgmt /salvagerepository.
  6. 24H2 hosts silently fail every wmic call until the optional feature is installed. CI/CD pipelines that produce 24H2 fleet images must test for this.

Forensic and inventory recipes (CIM-native)

Find every process spawned in the last 5 minutes

powershell
$cutoff = (Get-Date).AddMinutes(-5)
Get-CimInstance Win32_Process |
    Where-Object { $_.CreationDate -gt $cutoff } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Sort-Object CreationDate

Output:

ProcessId ParentProcessId Name        CommandLine                          CreationDate
--------- --------------- ----        -----------                          ------------
    14228           3456 msedge.exe   "C:\Program Files\Microsoft\Edge…"   5/25/2026 2:31:12 PM
    14290          14228 msedge.exe   "...\msedge.exe" --type=gpu-process  5/25/2026 2:31:13 PM

Inventory of disks with health, size, and free space

powershell
Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceId,
        @{N='Size(GB)';E={[int]($_.Size/1GB)}},
        @{N='Free(GB)';E={[int]($_.FreeSpace/1GB)}},
        @{N='Free%';E={[int]($_.FreeSpace/$_.Size*100)}}

Output:

DeviceId Size(GB) Free(GB) Free%
-------- -------- -------- -----
C:            476       48    10
D:           1862      100     5

Network configuration of all active adapters

powershell
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    Select-Object Description, MACAddress,
        @{N='IPv4';E={ ($_.IPAddress | Where-Object { $_ -match '\.' }) -join ',' }},
        DefaultIPGateway, DNSServerSearchOrder

Output:

Description           MACAddress         IPv4          DefaultIPGateway  DNSServerSearchOrder
-----------           ----------         ----          ----------------  --------------------
Intel(R) Wi-Fi 6 AX   12-34-56-78-9A-BC  192.168.1.45  {192.168.1.1}    {1.1.1.1, 9.9.9.9}

Map service to PID and PID to image

powershell
$svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
$proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
[PSCustomObject]@{
    Service    = $svc.Name
    PID        = $svc.ProcessId
    Image      = $proc.ExecutablePath
    CommandLine = $proc.CommandLine
    StartTime  = $proc.CreationDate
}

Output:

Service     : Spooler
PID         : 1648
Image       : C:\Windows\System32\spoolsv.exe
CommandLine : C:\Windows\System32\spoolsv.exe
StartTime   : 5/22/2026 8:14:00 AM

Audit installed software without the Win32_Product penalty

Win32_Product is slow and writes to the event log. The faster, side-effect-free approach is to read both the 32-bit and 64-bit Uninstall registry hives:

powershell
$paths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

Output:

DisplayName                 DisplayVersion  Publisher        InstallDate
-----------                 --------------  ---------        -----------
7-Zip 23.01                 23.01           Igor Pavlov      20241001
Google Chrome               123.0.6312.122  Google LLC       20240312
Microsoft Visual C++ 2022   14.38.33135     Microsoft Corp.  20240120

Same information as wmic product get, but in 50 ms instead of 30 s.

Cross-platform mental model

For Linux admins: WMI is roughly equivalent to procfs + sysfs + systemd-resolved + udev + cgroup accessed through a SQL-like query layer. There's no single Linux tool that does everything WMI does; the closest mapping is class-by-class.

| WMI class | Linux equivalent |
| --- | --- |
| Win32_Process | /proc/[pid]/, ps, procfs |
| Win32_Service | systemd units, systemctl show <unit> |
| Win32_LogicalDisk | df, lsblk, /proc/mounts |
| Win32_DiskDrive | lsblk -d -o NAME,SIZE,MODEL |
| Win32_OperatingSystem | /etc/os-release, uname -a, uptime |
| Win32_Processor | /proc/cpuinfo, lscpu |
| Win32_PhysicalMemory | dmidecode -t memory |
| Win32_BIOS | dmidecode -t bios |
| Win32_NetworkAdapterConfiguration | ip addr, ip route, /etc/resolv.conf |
| Win32_QuickFixEngineering | dpkg -l / rpm -qa (installed package list, not patches per se) |
| Win32_UserAccount | /etc/passwd, getent passwd |
| Win32_Share | smbclient -L localhost or /etc/exports for NFS |
| Win32_StartupCommand | systemd unit files, ~/.config/autostart/ |
